Internet Access from Inside to Outside ASA 5510 ver 9.1
Hi everyone, I need help setting up an ASA 5510 to allow all traffic going from the inside to outside so I can get internet access through it. I have worked on this for days and I have finally got traffic moving between my router and my ASA, but that is it. Everything is blocked because of NAT rules I assume.
I get errors like this when I try Packet Tracer:
(nat-xlate-failed) NAT failed
(acl-drop) Flow is denied by configured rule
Version Information:
Cisco Adaptive Security Appliance Software Version 9.1(4)
Device Manager Version 7.1(5)
Compiled on Thu 05-Dec-13 19:37 by builders
System image file is "disk0:/asa914-k8.bin"
Here is my ASA config, all I want for this exercise is to pass traffic from the inside network to the outside to allow internet access so I can access the internet and then look for specific acl's or nat for specific services:
Thank You!
Config:
ASA5510# sh running-config
: Saved
ASA Version 9.1(4)
hostname ASA5510
domain-name
inside.int
enable password <redacted> encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd <redacted> encrypted
names
dns-guard
interface Ethernet0/0
description LAN Interface
nameif Inside
security-level 100
ip address 10.10.1.1 255.255.255.252
interface Ethernet0/1
description WAN Interface
nameif Outside
security-level 0
ip address 199.199.199.123 255.255.255.240
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 199.199.199.4
domain-name
inside.int
object network inside-net
subnet 10.0.0.0 255.255.255.0
description Inside Network Object
access-list USERS standard permit 10.10.1.0 255.255.255.0
access-list OUTSIDE-IN extended permit ip any any
access-list INSIDE-IN extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) source dynamic any interface
object network inside-net
nat (Inside,Outside) dynamic interface
access-group INSIDE-IN in interface Inside
access-group OUTSIDE-IN in interface Outside
router rip
network 10.0.0.0
network 199.199.199.0
version 2
no auto-summary
route Outside 0.0.0.0 0.0.0.0 199.199.199.113 1
route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username <redacted> password <redacted> encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email
[email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
password encryption aes
Cryptochecksum:
<redacted>
: end
SH NAT:
ASA5510# sh nat
Manual NAT Policies (Section 1)
1 (Inside) to (Outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (Inside) to (Outside) source dynamic inside-net interface
translate_hits = 0, untranslate_hits = 0
SH RUN NAT:
ASA5510# sh run nat
nat (Inside,Outside) source dynamic any interface
object network inside-net
nat (Inside,Outside) dynamic interface
SH RUN OBJECT:
ASA5510(config)# sh run object
object network inside-net
subnet 10.0.0.0 255.255.255.0
description Inside Network Object
Hi all,Hello everyone, I need some help before my head explodes. Idddddddd
Hello Mitchell,
First of all how are you testing this:
interface Ethernet0/0
description LAN Interface
nameif Inside
security-level 100
ip address 10.10.1.1 255.255.255.252
Take in consideration that the netmask is /30
The Twice NAT is good, ACLs are good.
do the following and provide us the result
packet-tracer input inside tcp 10.10.1.2 1025 4.2.2.2 80
packet-tracer input inside tcp 192.168.1.100 1025 4.2.2.2 80
And provide us the result!
Looking for some Networking Assistance?
Contact me directly at [email protected]
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
Note: Check my website, there is a video about this that might help you.
http://laguiadelnetworking.com
Similar Messages
-
Access from Inside to Outside ASA 5510 ver 9.1
Hi All,
I need some help in getting an ASA up and processing traffic from the inside network to the internet. I have a Cisco 2811 Router behind a Cisco ASA 5510. From the ASA I can ping the 2811 and I can ping IP addresses on the internet. I have updated the IOS and ASDM on the router to the newest versions. 9.1(4) and 7.1. I believe the problem is in the Objects, ACL and getting those together, but I don't know much about the ASA and I don't know how the post 8.2 setup works. I am hoping I can get some help here to get me up and running so I can access the internet from behind the ASA.
Here is my ASA Config and I will post some of the 2811 Router config as well, though I am not sure thati s where the issue lies, but at this point, I haven't a clue. Both are up to date for the newest versions of the respective IOS.
I need to know what objects / ACL's et cetera to put in to get traffic flowing inside / out.
Thank you for the help!
ASA5510(config)# sh running-config
: Saved
ASA Version 9.1(4)
hostname ASA5510
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
dns-guard
interface Ethernet0/0
description LAN Interface
nameif Inside
security-level 100
ip address 10.10.1.1 255.255.255.252
interface Ethernet0/1
description WAN Interface
nameif Outside
security-level 0
ip address 199.195.168.100 255.255.255.240
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
shutdown
nameif management
security-level 0
no ip address
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 199.195.168.4
name-server 205.171.2.65
name-server 205.171.3.65
domain-name internal.int
access-list USERS standard permit 10.10.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
router rip
network 10.0.0.0
network 199.195.168.0
version 2
no auto-summary
route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1
route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username redacted password vj4PdtfGNFrB.Ksz encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end
CISCO 2811:
Current configuration : 2601 bytes
! Last configuration change at 07:24:32 UTC Fri Jan 3 2014
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
hostname RouterDeMitch
boot-start-marker
boot system flash
boot-end-marker
! card type command needed for slot/vwic-slot 0/0
no aaa new-model
dot11 syslog
ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.49
ip dhcp excluded-address 172.16.10.1 172.16.10.49
ip dhcp excluded-address 172.16.20.1 172.16.20.49
ip dhcp pool Mitchs_Network
network 192.168.1.0 255.255.255.0
dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8
default-router 192.168.1.1
ip dhcp pool VLAN10
network 172.16.10.0 255.255.255.0
default-router 172.16.10.1
dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8
ip dhcp pool VLAN20
network 172.16.20.0 255.255.255.0
dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8
default-router 172.16.20.1
no ip domain lookup
ip name-server 199.195.168.4
ip name-server 205.171.2.65
ip name-server 205.171.3.65
ip name-server 8.8.8.8
multilink bundle-name authenticated
crypto pki token default removal timeout 0
redundancy
interface FastEthernet0/0
description CONNECTION TO INSIDE INT. OF ASA
ip address 10.10.1.2 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
interface FastEthernet0/1
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface FastEthernet0/1.1
encapsulation dot1Q 10
ip address 172.16.10.1 255.255.255.0
interface FastEthernet0/1.2
encapsulation dot1Q 20
ip address 172.16.20.1 255.255.255.0
interface FastEthernet0/1.3
description Trunk Interface VLAN 1
encapsulation dot1Q 1 native
ip address 192.168.1.1 255.255.255.0
interface Dialer0
no ip address
router rip
version 2
network 172.16.0.0
network 192.168.1.0
network 199.195.168.0
no auto-summary
ip default-gateway 10.10.1.1
ip forward-protocol nd
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
access-list 1 permit any
dialer-list 1 protocol ip permit
control-plane
line con 0
exec-timeout 0 0
password encrypted
login
line aux 0
line vty 0 4
exec-timeout 0 0
transport input all
scheduler allocate 20000 1000
endI made those changes, but still no internet. I did not add this statement nat (inside,outside) after-auto source dynamic any interface I went with the more granular.
ASA5510# sh running-config
: Saved
ASA Version 9.1(4)
hostname ASA5510
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd liqhNWIOSfzvir2g encrypted
names
dns-guard
interface Ethernet0/0
description LAN Interface
nameif Inside
security-level 100
ip address 10.10.1.1 255.255.255.252
interface Ethernet0/1
description WAN Interface
nameif Outside
security-level 0
ip address 199.195.168.123 255.255.255.240
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
shutdown
nameif management
security-level 0
no ip address
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 199.195.168.4
name-server 205.171.2.65
name-server 205.171.3.65
domain-name internal.int
object-group network PAT-SOURCE
network-object 172.16.10.0 255.255.255.0
network-object 172.16.20.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object 10.10.1.0 255.255.255.252
access-list USERS standard permit 10.10.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) after-auto source dynamic PAT-SOURCE interface
router rip
network 10.0.0.0
network 199.195.168.0
version 2
no auto-summary
route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1
route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end
Message was edited by: Mitchell Tuckness -
ASA access from inside to outside interface
Hi
We need to make acces on our ASA device from inside network to outside interface.
The situation is next:
We have public external ip address and we need to access it from our inside network.
Can you please tell me if it is possible to do this?
Thank you.That's right, the solution is named Hairpinning aka U-turn.
The dynamic rule was the one suggested in my first reply:
global (inside) 1* interface *Assume you are using number one - See more at: https://supportforums.cisco.com/message/3867660#3867660
global (inside) 1* interface *Assume you are using number one - See more at: https://supportforums.cisco.com/message/3867660#3867660
global (inside) 1* interface *Assume you are using number one - See more at: https://supportforums.cisco.com/message/3867660#3867660
global (inside) 1* interface *Assume you are using number one - See more at: https://supportforums.cisco.com/message/3867660#3867660
global (inside) 1* interface *Assume you are using number one - See more at: https://supportforums.cisco.com/message/3867660#3867660
global (inside) 1* interface *Assume you are using number one -
how to allow some fixed extension go in from outside to inside but not allow go from inside to outside
for example, allow JPEG, MOV, AVI data flow from outside to inside
but not allow JPEG, MOV, AVI files access or upload or get by outside, in another words not from inside to outside
how to configure?Hi,
The ZBF link sent earlier show how we can inspect URI in http request
parameter-map type regex uri_regex_cm
pattern “.*cmd.exe”
class-map type inspect http uri_check_cm
match request uri regex uri_regex_cm
ZBf is the feature on Cisco routers and ASA though concepts are little same but works differently. However it is important that you can be more granular with the protocol (layer 7) inspection only. Like on ASA if you will try to restrict .exe file from a p2p application that won't be possible, But on router you have some application for p2p in NBAR and you can use it file filtering. Please check configuartion example for both devices.
Thanks -
i ave an ipad 2 with wifi only, can i get internet access from any cell phone, or do i need a specific phone or type of phone
I received an iPad 2 for Christmas (the 1st Apple item I've ever owned!) and own a Nokia N95 8GB mobile (that's pretty much on its last legs/ready to die any day).
On the Nokia I've got 2 apps (downloaded from/via Nokia's 'Ovi' app store): JoikuSpot & HandyWi. Both are the free versions.
I've not used HandyWi much - if at all - but JoikuSpot has been great. Basically, it creates a wifi hotspot (as pjl123 mentioned) in a couple of straightforward steps, and allows a few devices to be connected. It displays who/what is connected at a given time - so you can check if the guy having coffee behind you is piggybacking your hotspot or not! - data packets sent received etc.
The paid version has the benefit of allowing you to secure the hotspot and other security features. Their website is www.joiku.com, FYI.
Given how slow behind the 8 ball Nokia has been, their phones are getting cheaper and cheaper - given Joiku's meant to work with Nokia S60, Symbian ^3, Maemo, Meego & Sony Ericsson S60, this might be a cost effective option.
Ps. Ah! One more thing - Joiku's website specifies that 3G must be used; that WAP will not work. Good luck, enjoy! -
ASA 5510 traffic from inside to outside
Hello,
I'm working on a basic configuration of a 5510 ASA.
inside network of 192.168.23.0 /24
outside network 141.0.x.0 /24
config is as follows:
interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address 141.0.x.0 255.255.255.0
interface Ethernet0/1
nameif INSIDE
security-level 50
ip address 192.168.23.1 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list OUTSIDE_access_in extended permit icmp any any
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq https
access-list INSIDE_access_in extended permit icmp any any
global (OUTSIDE) 1 interface
nat (INSIDE) 1 192.168.23.0 255.255.255.0
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 141.0.x.57 1
In the LAB When I plug a laptop into the outside interface with address 141.0.x.57 I can ping it from a laptop from the inside interface and I can even access the IIS page. However, when I connect the ISP's firewall into the outside interface with the same address that I used the testing laptop with, I cannot seem to be able to access the outside world.
I can ping from the ASA's outside interface (x.58, to the ISP's x.57), but I cannot ping from the inside 192.168.23.x to it or access anything.
So traffic between inside and outside interface is not going through when in live setup. However, when in the lab it works fine.
Any ideas please?Version of FW:
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.3(1)
Output of Packet-Trace Command is:
SDH-PUBLIC-ASA(config)# packet-tracer input INSIDE icmp 192.168.23.10 8 0 1xpacket-tracer input INSIDE icmp 192.168.23.10 8 0 141.$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 141.0.x.0 255.255.255.0 OUTSIDE
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE_access_in in interface INSIDE
access-list INSIDE_access_in extended permit icmp any any
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE) 0 192.168.23.0 255.255.255.0
match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
identity NAT translation, pool 0
translate_hits = 104, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.23.10/0 to 192.168.23.10/0 using netmask 255.255.255.255
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (INSIDE) 0 192.168.23.0 255.255.255.0
match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
identity NAT translation, pool 0
translate_hits = 107, untranslate_hits = 0
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 141, packet dispatched to next module
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow -
Permit traffic from Inside to Outside, but not Inside to medium security interface
Can someone just clarify the following. Assume ASA with interfaces as :
inside (100) (private ip range 1)
guest (50) (private ip range 2)
outside (0) (internet)
Example requirement is host on inside has http access to host on outside, but it shouldn’t have http access to host on guest – or any future created interfaces (with security between 1-99).
What’s the best practice way to achieve this?Hi,
The "security-level" alone is ok when you have a very simple setup.
I would suggest creating ACLs for each interface and use them to control the traffic rather than using the "security-level" alone for that.
If you want to control traffic from "inside" to any other interfaces (and its networks) I would suggest the following
Create and "object-group" containing all of the other network
Create an ACL for the "inside" interface
First block all traffic to other networks using the "object-group" created
After this allow all rest of the traffic
In the case where you need to allow some traffic to the other networks, insert the rule at the top of the ACL before the rule that blocks all traffic to other networks
For example a situation where you have interfaces and networks
WAN
LAN-1 = 10.10.10.0/24
LAN-2 = 10.10.20.0/24
DMZ = 192.168.10.0/24
GUEST = 192.168.100.0/24
You could block all traffic from "LAN-1" to any network other than those behind the "WAN" interface with the following configuration.
object-group network BLOCKED-NETWORKS
network-object 10.10.20.0 255.255.255.0
network-object 192.168.10.0 255.255.255.0
network-object 192.168.100.0 255.255.255.0
access-list LAN-1-IN remark Block Traffic to Other Local Networks
access-list LAN-1-IN deny ip any object-group BLOCKED-NETWORKS
access-list LAN-1-IN remark Allow All Other Traffic
access-list LAN-1-IN permit ip 10.10.10.0 255.255.255.0 any
This should work if your only need is to control the traffic of the interface "LAN-1". If you want to control each interfaces connections to the others then you could do minor additions
Have all your local networks configured under the "object-group"This way you can use the same "object-group" for each interface ACL
object-group network BLOCKED-NETWORKS
network-object 10.10.10.0 255.255.255.0
network-object 10.10.20.0 255.255.255.0
network-object 192.168.10.0 255.255.255.0
network-object 192.168.100.0 255.255.255.0
access-list LAN-1-IN remark Block Traffic to Other Local Networks
access-list LAN-1-IN deny ip any object-group BLOCKED-NETWORKS
access-list LAN-1-IN remark Allow All Other Traffic
access-list LAN-1-IN permit ip 10.10.10.0 255.255.255.0 any
access-list LAN-2-IN remark Block Traffic to Other Local Networks
access-list LAN-2-IN deny ip any object-group BLOCKED-NETWORKS
access-list LAN-2-IN remark Allow All Other Traffic
access-list LAN-2-IN permit ip 10.10.20.0 255.255.255.0 any
access-list DMZ-IN remark Block Traffic to Other Local Networks
access-list DMZ-IN deny ip any object-group BLOCKED-NETWORKS
access-list DMZ-IN remark Allow All Other Traffic
access-list DMZ-IN permit ip 192.168.10.0 255.255.255.0 any
access-list GUEST-IN remark Block Traffic to Other Local Networks
access-list GUEST-IN deny ip any object-group BLOCKED-NETWORKS
access-list GUEST-IN remark Allow All Other Traffic
access-list GUEST-IN permit ip 192.168.100.0 255.255.255.0 any
Then you could basically use the same type ACLs in each interface. (Though still separate ACLs for each interface) And as I said if you need to open something between local networks then insert the correct "permit" tule at the top of the ACL.
Hope this helps
- Jouni -
How can I permit all traffic from inside-dmz-outside on asa5505
Scenario :
Servers are in DMZ, Internal LAN Users should access ports Specified (5000 & 2048). Router 2801 is facing Leased line; from there it’s connected to firewall.
Router LAN IP: 83.111.X.X - 255.255.255.X
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.X.X 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 83.111.X.X 255.255.255.240
interface Vlan3
nameif dmz
security-level 100
ip address 192.168.100.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
switchport access vlan 3
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 83.111.x.x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd enable inside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:5663409d6ba3ad0bcd163e691f032f76
: endHi Ben,
Thank you for the response. I followed the link and tried reading everything you posted on AEs but I'm afraid that I didn't understand it all. It seems that each AE example had a single input and a single output (e.g. a double). Is this the case?
What I have is a couple of front panel clusters containing (approximately) 18 control doubles, 8 indicator doubles, 5 boolean radio button constructs and 26 boolean control discretes. I clusterized it to make it readable. In addition I'll eventually have a cluster of task references for hardware handles.
All I want to do is update the front panel values like I would do in a C, VB or any other language. I've tried referencing the cluster and using the reference from inside the loops. I've tied using local variables. Neither works. I'm experimenting with globals but it seems that I have to construct the front panel in the gloabal and then I wouldn't know how to repoduce that on the front panel of the main VI. Sometimes it seems that more time is spent getting around Labview constructs than benefitting from them.
I hope the 'Add Attachment' function actuals puts a copy of the VI here and not a link to it.
Thanks again for the suggestion,
Frank
Attachments:
Front Panel Reference.vi 33 KB -
RDP from inside to outside using PAT?
I have several client machines( inside) that needs to have an RDP access to one server(outside) reside on customer site. The challenge is that the clinet machines can be anywhere/any subnet at any given time and will have different IP address from DHCP.Because of this i can't use the static NAT. Also, I only need RDP access from my network to the customer server only. So will it work if i use PAT? Thanks for the help in advance
Hello Sandeep,
In my opinion there shouldnt be any issue since you are Natiing the RDP clients to a single IP. As long as we have static nat and permission at the destination ( Server Side) it should work
Hope it helps
Harish. -
How to allow ping from inside to outside in 2900 router?
Hi,
I have a Cisco router 2900 with firewall, i need to know how can i allow the ping from self zone to outside zone, i trried to create policy from self to outside but i still didn't allow ping or tracert, i get that message when i try to ping from cisco router:
"Unrecognized host or address, or protocol not running"
any help will be appreciated.
Thank youHi jcarvaja
here is the used configuration:
Building configuration...
Current configuration : 5584 bytes
! Last configuration change at 09:00:20 UTC Tue Apr 9 2013 by admin
version 15.1
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service udp-small-servers
service tcp-small-servers
service sequence-numbers
hostname Router
boot-start-marker
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
no logging console
enable secret 5
no aaa new-model
no ipv6 cef
ip source-route
ip gratuitous-arps
ip icmp rate-limit unreachable 1
ip cef
ip name-server 163.121.128.134
ip name-server 163.121.128.135
ip port-map user-custom-fleet port tcp 2000 list 1
multilink bundle-name authenticated
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-324261422
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-324261422
revocation-check none
crypto pki certificate chain TP-self-signed-324261422
certificate self-signed 01
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33323432 36313432 32301E17 0D313330 34303930 38343034
375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3332 34323631
34323230 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
B8ABD60F 8C879B3B BC1C1643 48059AD2 F940A700 6D58161E 37D53E6E E028B806
61EAA942 CED2A3C6 3FB3A47E 20E05B10 0941A9D8 38FFA6F9 D2B9E52C 225A57BA
14F8842A A26E7E02 38E9F7C8 328504D0 5C3EEE41 CC75B237 BBD07CBA 1A850540
2A5AAFAD 4553FB03 0E366211 9AC09967 4DC03082 0AF546A3 F6AA2739 1D8A8AA9
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
23041830 16801428 FEEB3910 B7A1D374 1F86BCD5 96CEDF75 8DF11E30 1D060355
1D0E0416 041428FE EB3910B7 A1D3741F 86BCD596 CEDF758D F11E300D 06092A86
4886F70D 01010405 00038181 006BBF7A 430905F6 D5B27B0D 96315504 87816DAA
B5EA86D9 6E9A1D58 7B328C88 A6A358D0 00D035A9 8CDDEC41 15AF0108 F5CB1072
B0485D7D CFC0D0CB 71E9B153 FB7B8B40 40C157E4 B254D01C 890D615F D8395545
F0B47E0B 57341EB2 C0CE0039 DC18EAD6 078986F0 A5A5D04F D5041DB6 23CAA002
4901248C 95B61A0B 3ED5B26A EF
quit
license udi pid CISCO2901/K9 sn FCZ1526C3JL
object-group service Outside-Reply
icmp echo-reply
username admin privilege 15 secret 5
redundancy
ip finger
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
class-map type inspect match-any Deny_ALL
match access-group name dwdwd
class-map type inspect match-any Inside-Outside
match protocol http
match protocol https
match protocol dns
class-map type inspect match-any ICMP_RQST
match protocol icmp
policy-map type inspect Inside-Outside
class type inspect Inside-Outside
inspect
class class-default
drop
policy-map type inspect Self_to_Outside
class type inspect ICMP_RQST
inspect
class class-default
drop
policy-map type inspect Outside_to_Self
class type inspect Deny_ALL
pass log
class class-default
drop
zone security IN
zone security OUT
zone-pair security Self_to_Outside source self destination OUT
service-policy type inspect Self_to_Outside
zone-pair security Outside_to_Self source OUT destination self
service-policy type inspect Outside_to_Self
zone-pair security Inside-Outside source IN destination OUT
service-policy type inspect Inside-Outside
interface GigabitEthernet0/0
ip address 101.101.100.245 255.255.255.0
ip mask-reply
ip directed-broadcast
ip flow ingress
duplex auto
speed auto
interface GigabitEthernet0/1
description $FW_INSIDE$
ip address 49.31.152.80 255.255.255.248
ip mask-reply
ip directed-broadcast
ip flow ingress
zone-member security IN
duplex auto
speed auto
interface Serial0/0/0
no ip address
ip mask-reply
ip directed-broadcast
ip flow ingress
encapsulation frame-relay IETF
no fair-queue
frame-relay lmi-type q933a
interface Serial0/0/0.16 point-to-point
description $FW_OUTSIDE$
ip address 172.17.18.122 255.255.255.252
ip mask-reply
ip directed-broadcast
ip flow ingress
ip verify unicast reverse-path
zone-member security OUT
frame-relay interface-dlci 16
interface Serial0/0/1
no ip address
ip mask-reply
ip directed-broadcast
ip flow ingress
shutdown
clock rate 2000000
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.16
ip identd
ip access-list extended ICMP
remark CCP_ACL Category=128
permit ip any any
ip access-list extended deeef
remark CCP_ACL Category=128
permit ip any any
ip access-list extended dwdwd
remark CCP_ACL Category=1
permit object-group Outside-Reply any any
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 196.219.234.77
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 101.101.100.0 0.0.0.255
access-list 2 permit 10.20.10.0 0.0.1.255
no cdp run
control-plane
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
login local
transport input all
line vty 5 15
login local
transport input all
scheduler allocate 20000 1000
end -
No internet access from WRT54G router -see details please-
I have a westell 6100 modem with Verizon high speed internet.
I was given these instructions for my modem by Verizon for the router to work and it still doesn't. what do I need to do?
3. Click on Network Connections in the left navigation menu.
4. Click on Broadband Connection (DSL) to continue to the Broadband Connection.
5. Locate the VPI VCI of 0 & 35 under VCs and click the Edit icon.
6. Verify that the VC Status is Enabled and that the VPI & VCI are 0 and 35 respectively.
7. Change the Protocol drop down menu to Bridge then change the Bridge Mode: drop down menu to Bridge and click Apply.
8. Select OK to allow the modem to reset and apply the new changes.
9. Click on My Network in the top navigation bar.
10. Click on Network Connections.
11. Click on LAN.
12. Remove the check mark from the Private LAN DHCP Server Enable field.
13. Verify that the Private LAN is now off and click on Apply.
windows 7
I can connect to "linksys" as a wireless network, but get no internet access. Please help! Thank you!The settings that you provided is for the modem so I suppose you can able to go online with modem… Please let me know the IP address that you receiving from the modem… Since the connection that you have is DSL connection and if you are receiving the IP address from the modem under LAN (Local Area Connection) is a Private IP address (192.168.X.X) then follow the steps:
# Connect the modem with the Linksys Router WRT54G on the Internet Port and then connect the Computer on any of the Ethernet Port on the Router (Numbered – 1, 2, 3 and 4)…
# Open up the browser and on the address bar type 192.168.1.1 that will open up the Router setup page…
# Look for the Local IP Address and change it to 192.168.2.1 …
# Click Save Settings...
# Then Click on wireless Tab create the Wireless Network Name SSID and select the channel to 6, 9, and 11… Click Save Settings...
# Then Click on Wireless Security sub tab and select the security mode and provide the password as per the requirement… Click Save Settings...
# Click on Status Tab on the Router Setup page check if Internet IP Address has numbers or values. If the Internet IP Address has numbers, the computer should now be able to access the Internet. If the IP address is all zeroes (0.0.0.0) click "IP Address Release" first then click "IP Address Renew". If the IP address is still all zeroes, enable PPPoE on the router.
To enable PPPoE on the router you should have a username and password provided by the ISP (Internet Service Provider) and follow the steps...
# Under the Setup tab, set the Internet Connection Type to PPPoE…
# Enter the Username and Password that your ISP provided, including the domain in the User Name field if necessary…
# Click Save Settings...
# Then Click on wireless Tab create the Wireless Network Name SSID and select the channel to 6, 9, and 11… Click Save Settings...
# Then Click on Wireless Security sub tab and select the security mode and provide the password as per the requirement… Click Save Settings...
# Click the Status tab then look for Login Status and check if it says Connected. If it’s connected, you should be able to access the Internet.
After doing the following settings then connect the wireless computer the preferred Network… Once it gets connected you will be online wirelessly as well… -
Time Capsule - how to gain "over-the-internet" access from Windows 7!
Hi guys,
I've been fighting for such a long time with my Time Capsule. I have no idea how to gain access "over-the-internet" on a PC (Windows 7) which is running on another network. My Time Capsule is set up with my Macbook Pro at home running Lion OSX, and i have internet connection. My brother who also uses Macbook has no problems connecting to my Time Capsule - through finder (connect to a server). But how do I gain "over-the-internet" access to my Time Capsule through a PC (Windows 7) from my office? Is there please someone who can guide me step-by-step, how to gain connection to my TC through a PC? Or maybe just an explantaion what has to be done on the PC before this thing can work out! This was the main reason to why i bought Time Capsule - besides of the Time Machine function. I also have an iCloud account (earlier Mobile Me), if that makes any difference.
Thanks!There is no way to do it from windows direct to the TC.
It only presents AFP to the WAN side. And most ISP block SMB from internet access due to risks. There is AFAIK, no suitable AFP protocol utility for windows at the moment. If you google and find one, be aware it probably will not work to your satisfaction anyway.
You must use a Mac to access AFP but even then it is not a secure protocol and I would recommend against it anyway.
So basically if you had have asked before purchasing, I would have said, TC is unsuitable product. It is a backup drive for a Mac. It is not a NAS.. it is not designed for remote access by any computer other than a Mac. It does not support any other file protocol to the WAN interface.. and no secure protocol even there.
A NAS with Time Machine extensions from QNAP, Synology, Netgear all are designed for web access and are far more suitable. Researching a purchase beforehand is always worthwhile.
Anyway, your choices are.. return the TC and buy something more suited to the job.
Or if return is now impossible sell the TC on ebay.. etc and do the same thing.. buy a more suitable NAS.
Or buy a cheap mac mini (even second hand) and use that for communications with home.
Or, replace your current router with something that includes vpn. This is actually a good and commercially sound decision. VPN is generally used by business to connect to remote locations, because it is secure and will allow the greatest flexibility of connection. How hard or easy depends on the current setup. I would recommend a combined modem router with vpn server if you have adsl. Or for cable you can find plenty of routers with combined vpn. You can also use those for adsl if your ISP allows pppoe with bridged modem. The TC will have to be bridged as well. For other broadband it might be harder to find the right kind of box.
Once you setup a vpn you can access it from work using the appropiate vpn client in your work computer. -
No internet access from my airport
Hi there,
I have a problem with my two airport express. I'll explain first my config
I have one Router (from the internet provider so not apple) connected to an ADSL line with ethernet hardwired Conections to both Airport express.
the to AE have the same name (SSID) and password and are configured as Create a new Network. this allow me not only to extend my Network reach but also to use the jack conections in 2 different rooms for 2 difrerent Hifi systems for the airplay feature. they are in bridge mode.
the Router from my Internet provider as a different SSID on purpose because I don't want my computer to connect to that one when I'm closer to it since I always had more transmission problems with the airplay when connected to a non apple Router. the sound is often cut while with the AE it always flows better.
the problem is that the airplay works but the internet connection is very bad, I mean it last minutes to open a page, and if I want to surf from my computer I have to choose the other SSID and then no problem.
when I open the airport utility I can see that sometimes it's all green but the internet switch constantly from green to yelow.
I'm just in the process of changing my internet provider which means that I actually have in this moment 2 internet connections and 2 routers from 2 diff providers and therefore have made the test with boths of them with the same result.
that's it. Any idea?
thanks in advanceHi,
this is getting worse. as I was unable to solve the problem I decided to start from scratch and therefore I have reset to default values my 2 Airports.
then in my airport utility I only have the Internet access, the earth globe, and it's green, so I can surf the web by connecting to the SSID of the router of my internet provider.
then I plug into the power one airport. It appears in the left-hand upper corner of the Airport utility. I click on it ( at that moment my wifi is not anymore to the Internet router but to the airport itself) and follow the steps to configure it.
it say that it will be configured to create a network so I give him same SSID and pwd as the one from the OLO provider, it tells me to connect the cable to the Router, i do it and it goes to the next step where it asks me to switch off for few minutes the internet router and switch it on again. I do it and after a while it says that an error occured while confiring the airport.
At that moment I loose access to my airport, I does not appear neither on the Wifi panel as its MAC address (or whatever the hexa number is) nor within the airport utility as an airport connected to my internet router.
so the only way left to get back to it is to reset it again.
I did this process with the 2 airports, and met the same problem so I guess I'm doing something wrong.
where is my mistake ?
thanks in advance. -
Securely Access Exchange Server 2007 through ASA 5510 using Outlook
Is there any way to access a MS Exchange Server 2007 on Windows server 2008 through an ASA 5510 running 8.4 with a full MS Outlook client (not using OWA - web browser)? OWA is currently working fine but I was wondering if access via the full Outlook client is possible and more importantly...is it opening up too many ports on my 5510? Any help is much appreciated!
~JohnHi John,
For that scenario, a remote access VPN is probably the best way to go (either the traditional IPSec client or SSL VPN/AnyConnect). This config guide lists your options on the ASA:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_ike.html
-Mike -
Mi424wr-gen3I no internet access from secondary subnet / router
All,
I am looking to provide internet access to my internal LAN / WLAN devices on another router. I have configured my second router to connect to the 192.168.1.0/24 network on the mi424wr LAN.
Static routes: 192.168.2.0/24 next hop 192.168.1.254 (secondary router interface connected to m1424wr LAN)
Firewall policy filter: Network Home Inbound and outbound allow access sourced and destined to both subnets.
I have layer 3 conectivity between the routers but I am not able to browse the internet from secondary router 192.168.2.0 network. My default router on the 192.168.2.0/24 is the 192.168.1.1 router.
I tried to modifiy the DNS setting for devices on the 192.168.2.0 net but nothing works. Used 192.168.1.1 (mi424wr interface which the setting for the 192.168.1.0 net devices. Even tried using verizon's DNS server 68.237.161.12 but no internet access. The mi424wr does have a dns server setting which I tried to statically add 192.168.2.x host but that did not work.
So I am not sure if the mi424wr DNS server is not allowing any other subnets beside the 192.168.1.0/24 to access its DNS services or some other policy is needed to be created. My secondary router is not NATing and at a loss.
Tried to research other methods of using my secondary router to connect to internet with the mi424wr-gen3I but nothing seems worth trying. Setting the mi424wr-gen3I to bridge mode would be an option but have not seen any configuration for the REV I router vesion. My last setup worked in bridge mode and STB were functional but VOD was always very choppy. Seem there are some QoS setting the mi424wrI has configure to improve traffic priority for video.
Any assistance appreciated.
RichAs STX said. All you need to do is to connect an ethernet cable from a lan port of the Verizon router to the wan port of your own router. Your own router needs to be configured with an address on the 192.168.1 subnet, either dhcp or static, yours is you say at 192.168.1.254 as is mine. Then you should have configured the dhcp side of your router with a subnet other than 192.168.1 which apparently you have done. You do not need static routes or anything else for devices on the 192.168.2 subnet to access the internet, other than valid DNS server addresses - did you set valid dns servers addresses in the static ip internet connection on your router? You could set it to 192.168.1.1 and pick up whatever dns the vz router is using or you could set it dns servers of your choice, personally I set mine to opeDNS server addresses.
What kind of router is the second router?
Your description of your setup sound OK and the only difference I see between your setup and mine is that you say your second router is not NATing
Maybe you are looking for
-
How do I purge old time capsule names?
I have been unable to get an old 1TB time capsule to run as a back up on time machine with a Mac mini (OSX10.9.5)-I have spent almost two days trying to set it up to work as it should but in the end I have had to come here. On the time capsule, I hav
-
T61 and Windows 8 compatibility
Has anyone loaded Windows 8 on a ThinkPad T61? Is so, were there any incompatibilities? I currently run Vista Business 32-bit on my T61 but am considering moving on to Windows 8. Solved! Go to Solution.
-
Ok so I've finished my site and ready to publish. It seems muse does this strange thing sometimes. I export the files, i publish it, exept when i look on my site online the text and photos are not there but when i go into the program, everything is t
-
Troubles with ALV set_table_for_first_display
Hello people, I am facing an interesting problem. I want do display data from an internal table on an ALV grid. So far, so good, When I am trying do do so again with different recordsets, the ALV displays the data from the first attemp again. e.g.: d
-
What's the beste wireless router for ADSL?
Hello everyone, Since I'm new to the Macworld, I'd like to know what's the best wireless modem to the Macbook. I've been looking forward to the Netgear one, but other options like D-Link that are lesse expensive. So, what's the best option for connec